[NCSG-PC] [Public Comment] review the NCSG comment on EPDP initial report
Kathy Kleiman
kathy at kathykleiman.com
Mon Dec 17 01:33:57 EET 2018
Hi All,
I have spent the better part of today adding edits to our EPDP comment.
Per Amr's request, I looked closely at the UDRP and URS issues,
Questions 14, 15, and 16. Yes, there are certainly issues we need to
address -- including the publication of registrant contact information
in a decision. If the only place you learn about a registrant is in a
/published /UDRP or URS decision, is that fair? What if the registrant
wins; still publish the personal data? What if the sole purpose of
filing the UDRP or URS is to "out" the registrant (something I am
hearing whispered about a lot in intellectual property hallways)? Also,
should the registrant's attorney and his/her contact information be
automatically published? What if it is one human rights group helping
another human rights group?
As the Request for Comments note, some of this should go to the RPM WG.
I agree, and in Phase 1 of our RPM WG review, involving the URS and
Trademark Clearinghouse, we have already prepared draft policy
recommendations for the URS that include amending the rules for
GDPR-related requirements. All good.
But what struck me as utterly disastrous is the PDDRP and RRDRP in other
questions, including Purpose 6 and in the broad buckets of Question 14.
/Unlike the UDRP and URS, PDDRP and RRDRP are not proceedings against
the registrant, but against the registry! The disclosure of the
personal data of thousands or even (potentially) millions of innocent
and good-faith registrants is a stunning leap of insanity. /Just because
you sue GM does not mean you get the name and address of everyone who
owns a GM car (!)
I've explained in detail what the Trademark Post-delegation Dispute
Resolution Policy (PDDRP) and Registry Restriction Dispute Resolution
Procedure (RRDRP) in our draft comments (pasted some of it in the "p.s."
below). Everywhere I saw a grouping of UDRP, URS, PDDRP and RRDRP (as
well as "future developed domain name registration related dispute
procedures," which could mean anything, any future type of proceeding
against the registry, registrar, ICANN or the registrant --it's a
completely unbounded term), I objected with information and discussion
on behalf of NCSG. Happy to discuss! (Note: PDDRP was the first part of
our RPM WG review at the start of Phase 1.)
_Other issues_
I'm also deeply troubled about the continuing collection and processing
of the street address in the RDDS. State and even city I can
understand, but street address? This is a piece of data collected
largely for the processing of credit card data, and like credit card
data, it should be kept locally by the registrars. To transmit this data
is to expose individuals and organizations (including the many
religious, philosophical, racial, ethnic, political, trade union,
health, gender, sexual orientation directly protected under Article 9 of
the GDPR) to prosecution and persecution. The idea that every
pro-democracy website and its registrants might be requested by law
enforcement in China (as a violation of Chinese criminal law) although
the registrant, registrar and registry are all based in the US/Europe
and protected under the US First Amendment and UN Declaration of Human
Rights Article 19 has haunted me since I worked for PIR. Getting rid of
the street address, and forcing foreign governments and agents to go
through registrars and local law will provide critical due process and
procedural protections for individuals and organizations.
Whoever wrote the response to Recommendation #2: Standardized Access was
brilliant. It is exactly right (although I would make it emphatic): "The
NCSG would prefer to replace the term “Standardized Access to nonpublic
Registration Data” with the term “Lawful disclosure of nonpublic
registration data to third parties with legitimate interests.”" As we
heard at the Public Forum in Barcelona, IP & WIPO support a general "IP
request" and law enforcement wants a vague and general "we want it
because we want it" request. But such a request of individuals and
religious, philosophical, racial, ethnic, political, trade union,
health, gender, sexual orientation is not right or legal under GDPR. For
it does not give the information necessary to make the imporarnt
evaluation required under GDRP Article 6(f) -- including whether the
"fundamental rights and freedoms of the data subject" are put at risk.
The GDPR is eminently practical: the "fundamental rights and freedoms
of the data subject" (including organizations) is paramount. That
requires data and detail to weigh and balance -- not choosing a pull
down slot "IP infringement" or "law enforcement demand."
/(GDPR Article 6://1. “Processing shall be lawful only if and to the
extent that at least one of the following applies:” //*** //“(f)
processing is necessary for the purposes of the legitimate interests
pursued by the controller or by a third party, except where such
interests are overridden by the interests or fundamental rights and
freedoms of the data subject which require protection of personal data,
in particular where the data subject is a child.”)/
It's getting interesting, Folks! Tx so the amazing EPDP and I hope my
hours today help!
Best, Kathy
p.s. More on the PDDRP and RRDPR (from the EPDP Comment):
"These are proceedings against the Registry itself. In the “Trademark
Post-Delegation Dispute Resolution Procedure (Trademark PDDRP) (note:
the only type of PDDRP that exists), the proceeding is against **the
Registry** (not the Registrant). The allegation is as follows:
=> ‘The Trademark PDDRP generally addresses a Registry Operator's
complicity in trademark infringement on the first or second level of a
New gTLD. At least 30 days prior to filing a formal complaint, a rights
holder must notify the Registry of the alleged infringing conduct and
express a willingness to meet to resolve the issue. Review the Trademark
PDDRP [PDF, 181 KB].” https://newgtlds.icann.org/en/program-status/pddrp
"To the extent in a PDDPR that the Registryis also the registrant of
domain names used for abuse, it is likely those domain names will be
used as part of the pattern of conduct of the Registry. But to the
extent that there may be thousands or even millions of innocent domain
name registrants within a gTLD accused of complicity with trademark
infringement at a registry-scale, there is absolutely no waiver of
interest and no relinquishing of privacy for the purpose of pursuit of
an arbitration against an entirely different third party (the Registry).
Accordingly, processing the personal data of registrants for the
purpose of “coordinating, operationalizing and facilitating” a PDDRP
dispute between a trademark owner and an ICANN Registrycannot be one
which by definition includes the registration data of all registrants --
domain name registrants are not accused in the PDDRP
"Ditto for the Registry Restriction Dispute Resolution Procedure (RRDRP)
which is similarly a proceeding in the New gTLD Applicant Guidebook
against the Registry itselfand the allegation is as follows:
=> “The RRDRP is intended to address circumstances in which a
community-based New gTLD Registry Operator deviates from the
registration restrictions outlined in its Registry Agreement.”
https://newgtlds.icann.org/en/program-status/pddrp
"The proceeding for an RRDRP, as with the PDDRP above, is expressly
against the Registry. In the future, there may be thousands or even
millions of innocent domain name registrants completely in compliance
with the community-based standards of a community-based gTLD. It is
absolutely inconsistent with the GDPR or with an notion of registrant
privacy and protection to deep all registrants of a gTLD have consented
or in any way agreed to the disclosure of their personal information
should the titans (large organizations and registries) fight in a RRDRP.
There is no legal basis for the RDDS disclosure of the data of innocent
and good faith registrants in a PDDRP or RRDRP proceeding."
On 12/13/2018 10:00 PM, Ayden Férdeline wrote:
> I support the submission of this comment.
>
> Ayden
>
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Thursday, 13 December 2018 20:59, Rafik Dammak
> <rafik.dammak at gmail.com> wrote:
>
>> Hi all,
>>
>> this is critical and urgent. The deadline for submission is quite
>> strict.
>> please review and comment the draft response to EPDP initial report.
>>
>> Best Regards,
>>
>> Rafik
>>
>> ---------- Forwarded message ---------
>>
>> Hi all,
>>
>> The representatives to EPDP team prepared a draft comment from NCSG
>> on the initial report. You can find it here
>> https://docs.google.com/a/mozillafoundation.org/document/d/1iRZUXqSUJ2FaPEeytbH28wJmRamsmio-kzijQmBF2IE/edit
>> . You can find the initial report here
>> https://www.icann.org/public-comments/epdp-gtld-registration-data-specs-initial-2018-11-21-en.
>> The deadline for submission is the 21st December.
>>
>> The public comment is using google form, that explains why the draft
>> may look long as it includes the questions and explanation. Our draft
>> responses are in red.
>> This public comment is an important milestone for EPDP and for NCSG
>> to submit the comment. It is also important to encourage to have more
>> input.
>>
>> Best Regards,
>>
>> Rafik
>>
>
>
> _______________________________________________
> NCSG-PC mailing list
> NCSG-PC at lists.ncsg.is
> https://lists.ncsg.is/mailman/listinfo/ncsg-pc
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ncsg.is/pipermail/ncsg-pc/attachments/20181216/a95388c1/attachment.htm>
More information about the NCSG-PC
mailing list